Abstract

We describe an algorithm for counting points on an arbitrary hyperelliptic curve
over a finite field $\mathbb{F}_{p^n}$ of odd characteristic, using Monsky-Washnitzer cohomology to
compute a p-adic approximation to the characteristic polynomial of Frobenius. For
fixed p, the asymptotic running time for a curve of genus g over $\mathbb{F}_{p^n}$ with a rational
Weierstrass point is $O(g^{4+\epsilon} n^{3+\epsilon})$.



1 Introduction 

An important problem in computational algebraic geometry is the enumeration of points on
algebraic varieties over finite fields, or more precisely the determination of their zeta
functions. Much work so far on this problem has focused on curves of genus 1. Initial approaches,
like the Shanks-Mestre method 0, Section 7.4.3], yield algorithms with exponential running
time in the length of the input data (which is roughly the logarithm of the field size). Schoof
||r3| gave an algorithm for counting points on a genus 1 curve over $\mathbb{F}_q$ which is polynomial
in $\log(q)$; this algorithm was improved by Atkin and Elkies. For fields of fixed (or at least
small) characteristic, an algorithm given by Satoh []T2[ has smaller asymptotic running time
than Schoof's algorithm; an implementation is described in detail in |^.

Extending the aforementioned methods to curves of higher genus has to date yielded
unsatisfactory results. The Shanks-Mestre method is exponential both in the field size and
in the genus. Schoof's algorithm, which is roughly to compute the characteristic polynomial
of Frobenius modulo many small primes, can be generalized in principle to higher genus,
as noted by Pila [|rT|. However, using the method in practice requires producing explicit
equations for the Jacobian of the curve, which is already nontrivial in genus 2 and probably
hopeless in general. Satoh's method, which is to compute the Serre-Tate canonical lift, runs
into a similar obstruction: the Serre-Tate lift of a Jacobian need not itself be a Jacobian, so
computing with it is difficult. Satoh has proposed working instead with the formal group of
the Jacobian. This is possible in principle, as the formal group can be expressed in terms of
data on the curve, but the result again seems to be exponential in the genus.

In this paper, we develop an algorithm for counting points on hyperelliptic curves over
finite fields of odd characteristic, which is polynomial in the genus of the curve. Our approach
is to compute in the Monsky-Washnitzer (dagger) cohomology of an affine curve, which is
essentially the de Rham cohomology of a lift of the curve to characteristic zero, endowed with
an action of Frobenius. The action of Frobenius can be p-adically approximated efficiently
using certain power series.

As the approach is p-adic, the method shares with Satoh's algorithm the nature of its 
dependence on the input parameters. Namely, both algorithms are polynomial in the degree 
of the finite field over the prime field (with the same exponent), but are polynomial in 
the order of the prime field rather than in its logarithm. Additionally, our algorithm is 
polynomial in the genus of the hyperelliptic curve. To be specific, the running time of the 
algorithm is on the order of $g^{4+\epsilon} n^{3+\epsilon}$, where n is the field degree and g the genus, assuming
that the curve has a rational Weierstrass point. (One should be able to achieve the same 
running time even without a rational Weierstrass point, but we have not checked this.) 

The strategy of counting points on a variety by computing in de Rham cohomology on a 
lift seems to be quite broadly applicable. In particular, there is no reason why it could not be 
applied to more general curves, or even to higher dimensional varieties (e.g., hypersurfaces 
in toric varieties). In fact, a related method has been introduced by Lauder and Wan [Q, 
who use Dwork's trace formula to give a p-adic algorithm for computing the zeta function 
of an arbitrary variety over a finite field. It is unclear how practical it will be to implement 
that algorithm; Lauder and Wan themselves suggest reinterpreting it in terms of a p-adic 
cohomology theory to make it easier to implement. 



2 Overview of p-adic cohomology

We briefly recall the formalism of Monsky-Washnitzer cohomology, as introduced by Monsky
and Washnitzer 0, |@, and refined by van der Put [1^; details omitted here can be found
therein. We first set some notations. Let $k$ be a perfect field of characteristic $p > 0$ (which
for us will always be a finite field), $R$ a complete mixed characteristic discrete valuation ring
with residue field $k$ (e.g., the ring of Witt vectors $W(k)$), and $\mathfrak{m}$ the maximal ideal of $R$. Let
$K$ be the fraction field of $R$.

Let $X$ be a smooth affine variety over $k$, $\bar{A}$ the coordinate ring of $X$, and $A$ a smooth
$R$-algebra with $A \otimes_R k = \bar{A}$. Ordinarily, $A$ will not admit a lift of the absolute Frobenius
morphism on $\bar{A}$, but its $\mathfrak{m}$-adic completion $A^\infty$ will. Working with $A^\infty$ is not satisfactory,
however, because the de Rham cohomology of $A^\infty$ is larger than that of $A$. The trouble is
that the limit of exact differentials need not be exact: for example, if $A = R[x]$, then the
sum $\sum_{n=0}^{\infty} p^n x^{p^n-1}\,dx$ defines a differential over $A^\infty$ which is the limit of exact
differentials but is not itself exact.

To remedy the situation, Monsky and Washnitzer work with a subring of $A^\infty$, consisting
of series which converge fast enough that their integrals also converge. Namely, fix
$x_1, \dots, x_m \in A$ whose images generate $\bar{A}$ over $k$. Monsky and Washnitzer define the weak
completion $A^\dagger$ of $A$ as the subring of $A^\infty$ consisting of elements $z$ representable, for some
real number $c$, as $\sum_{n=0}^{\infty} a_n P_n(x_1, \dots, x_m)$, with $a_n \in \mathfrak{m}^n$ and $P_n$ an n-variate polynomial
of total degree at most $c(n+1)$. One can show that the weak completion depends, up to
noncanonical isomorphism, only on $\bar{A}$.

Monsky and Washnitzer then define the dagger cohomology groups $H^i(\bar{A}; K)$ as the
cohomology groups of the de Rham complex over $A^\dagger \otimes_R K$. Namely, let $\Omega$ denote the
$A^\dagger \otimes_R K$-module of differential forms over $K$, generated by symbols $dx$ for
$x \in A^\dagger \otimes_R K$ and subject to the relations $d(xy) = x\,dy + y\,dx$ for all $x$ and $y$, and
$dx = 0$ for $x \in K$. Then the map $d : \wedge^i \Omega \to \wedge^{i+1} \Omega$ given by

$$x\,dy_1 \wedge \cdots \wedge dy_i \mapsto dx \wedge dy_1 \wedge \cdots \wedge dy_i$$

satisfies $d \circ d = 0$, and thus makes the $\wedge^i \Omega$ into a complex, whose cohomology at $\wedge^i \Omega$ we call
$H^i(\bar{A}; K)$; this group is in fact a $K$-vector space. This construction is clearly functorial with
respect to maps on dagger rings; in particular, if $\phi$ is an endomorphism of $A^\dagger$, it induces an
endomorphism $\phi_*$ on the cohomology groups.

The point of this construction is that these cohomology groups satisfy the following
Lefschetz fixed point formula. See van der Put 4.1] for a proof.

Theorem 1 (Lefschetz fixed point formula). Let $\bar{A}$ be smooth and integral of dimension
$n$ over $\mathbb{F}_q$. Suppose the weak completion $A^\dagger$ of a lift of $\bar{A}$ admits an endomorphism $F$
lifting the $q$-power Frobenius on $\bar{A}$. Then the number of homomorphisms $\bar{A} \to \mathbb{F}_q$ equals

$$\sum_{i=0}^{n} (-1)^i \operatorname{Tr}(q^n F_*^{-1} \mid H^i(\bar{A}; K)).$$

In the original work of Monsky-Washnitzer, it was unknown whether the cohomology
groups were necessarily finite dimensional as vector spaces over $K$; thus in the fixed point
formula, the fact that the operator $F_*^{-1}$ has a trace is a nontrivial part of the result. It was
later shown by Berthelot [|^ that the vector spaces are indeed finite dimensional. Thus we
can compute the traces in the fixed point formula by working in finite dimensional vector
spaces.

Summing up, we have the following general strategy for computing the zeta function of a
smooth projective variety $X$ over a finite field $\mathbb{F}_q$; we flesh out this strategy in the particular
case at hand in the rest of the paper. Choose an affine subvariety $U$ of $X$, then compute
the zeta function of $X - U$, which is a closed subvariety of $X$ of lower dimension. Then
compute the action of a lift of Frobenius on the cohomology groups of $U$; since one cannot
exactly represent all elements of $W(\mathbb{F}_q)$, the action can only be computed to a certain p-adic
precision. The net result is a p-adic approximation of the zeta function; by using enough
precision, one can get a good enough approximation that the Riemann hypothesis component
of the Weil conjectures uniquely determines the zeta function from this approximation.

3 Cohomology of hyperelliptic curves 

In this section, let $p$ be an odd prime. We describe the Monsky-Washnitzer cohomology of a
hyperelliptic curve over a field of characteristic $p$ in a concrete manner, suitable for explicit
computation of its zeta function; we will explicitly describe the computation in the next
section.

We begin by setting notation for this section and the next. Let $Q(x)$ be a polynomial
of degree $2g+1$ over $\mathbb{F}_q$ without repeated roots, so that the closure in the projective plane
of the affine curve $y^2 = Q(x)$ is a smooth hyperelliptic curve $C$ of genus $g$ with a rational
Weierstrass point. (One can handle the case where there is no rational Weierstrass point
by similar methods, but we omit the details here.) Let $C'$ be the affine curve obtained
from $C$ by deleting the support of the divisor of $y$ (that is, the point at infinity and the
Weierstrass points); then the coordinate ring $\bar{A}$ of $C'$ is $\mathbb{F}_q[x, y, y^{-1}]/(y^2 - Q(x))$. Let
$A = W(\mathbb{F}_q)[x, y, y^{-1}]/(y^2 - Q(x))$ and let $A^\dagger$ be the weak completion of $A$.

Before proceeding further, we give an explicit description of $A^\dagger$. Namely, let $v_p$ denote
the p-adic valuation on $W(\mathbb{F}_q)$, and extend this norm to polynomials as follows: if
$P(x) = \sum a_i x^i$, define $v_p(P) = \min_i\{v_p(a_i)\}$. Then the elements of $A^\dagger$ can be viewed as series
$\sum_{n=-\infty}^{\infty} (S_n(x) + T_n(x)y)\,y^{2n}$, where $S_n$ and $T_n$ are polynomials of degree at most $2g$, such
that

$$\liminf_{n \to \infty} \frac{v_p(S_n)}{n}, \quad \liminf_{n \to \infty} \frac{v_p(T_n)}{n}, \quad \liminf_{n \to \infty} \frac{v_p(S_{-n})}{n}, \quad \liminf_{n \to \infty} \frac{v_p(T_{-n})}{n}$$

are all positive.

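We can lift the $p$-power Frobenius to an endomorphism $\sigma$ of $A^\dagger$ by defining it as the
canonical Witt vector Frobenius on $W(\mathbb{F}_q)$, then extending to $W(\mathbb{F}_q)[x]$ by mapping $x$ to $x^p$,
and finally setting

$$y^\sigma = y^p \left(1 + \frac{Q(x)^\sigma - Q(x)^p}{Q(x)^p}\right)^{1/2}
= y^p \sum_{i=0}^{\infty} \binom{1/2}{i} \frac{(Q(x)^\sigma - Q(x)^p)^i}{Q(x)^{pi}}
= y^p \sum_{i=0}^{\infty} \frac{(1/2)(1/2 - 1) \cdots (1/2 + 1 - i)}{i!} \, \frac{(Q(x)^\sigma - Q(x)^p)^i}{Q(x)^{pi}}$$

and $(y^{-1})^\sigma = (y^\sigma)^{-1}$. Let $F = \sigma^{\log_p q}$; then $F$ is a lift of the $q$-power Frobenius, so we may
apply the Lefschetz fixed point formula to it and use the result to compute the zeta function
of $C$. We now describe how this is done.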

The de Rham cohomology of $A$ splits into eigenspaces under the hyperelliptic involution:
a positive eigenspace generated by $x^i\,dx/y^2$ for $i = 0, \dots, 2g-1$, and a negative
eigenspace generated by $x^i\,dx/y$ for $i = 0, \dots, 2g-1$. Indeed, any form can be written as
$\sum_{n=-\infty}^{\infty} \sum_{i=0}^{2g} a_{i,n} x^i\,dx/y^n$, and the relation

$$\frac{B'(x)\,dx}{y^s} \equiv \frac{sB(x)\,dy}{y^{s+1}} = \frac{sB(x)Q'(x)\,dx}{2y^{s+2}}$$

(which follows from the equality $2y\,dy = Q'(x)\,dx$) can be used to consolidate everything into
the $n = 1$ and $n = 2$ terms. Specifically, when $s > 1$, we can write an arbitrary polynomial
$B(x)$ as $R(x)Q(x) + S(x)Q'(x)$ for some polynomials $R, S$ (since $Q$ has no repeated roots),
and then write

$$\frac{B(x)\,dx}{y^s} \equiv \frac{R(x)\,dx}{y^{s-2}} + \frac{2S'(x)\,dx}{(s-2)y^{s-2}}.$$

On the other side, a differential $B(x)\,dx/y$ with $B$ a polynomial of degree greater than $2g$
can be reduced using the identity $[S(x)Q'(x) + 2S'(x)Q(x)]\,dx/y \equiv 0$. For $S(x) = x^{m-2g}$ the
expression in brackets has degree $m$ and leading term $(2g+1) + 2(m-2g) = 2m - 2g + 1 \neq 0$,
so a suitable multiple can be subtracted from $B$ to reduce its degree.

To carry out provably correct computations, we need explicit estimates on the denominators
introduced by the aforementioned reduction process. We now prove a lemma that
provides the needed estimate. (The approach is similar to that of the proof of [§, Lemma 4.1].)

Lemma 2. Let $A(x)$ be a polynomial over $W(\mathbb{F}_q)$ of degree at most $2g$. Then for $m > 0$,
the reduction of $\omega = A(x)\,dx/y^{2m+1}$ becomes integral upon multiplication by $p^{\lfloor \log_p(2m+1) \rfloor}$.

Proof. Let B{x) dx/y be the reduction of A{x) dx/y'^^'^^, and / the function such that df = 
A{x) dx/y'^'^'^^ — B{x) dx/y. Write / = J2]jLo^ji^)/y'^'^~^^ where each Fj has degree at most 
2g. Let ro, . . . , r2g be the roots of Q{x) over W(¥g) and Tq, . . . , the corresponding points 
on the curve y"^ = Q{x). Then / has poles at Tq, . . . , and possibly at infinity. 

Let Ri be the completion of the local ring of W(¥g)[x,y]/ {y"^ — Q{x)) at Tj, and let Ki 
the fraction field of Rf, then the maximal ideal of Ri is generated by y, and within Ri, x 
can be written as a power series in y with integral coefficients. Then the image of df in 
the module ^Ki/w{W^) differentials can be written as ^^.^ CLiku'^^''^ dy, and the aik are 
integral for k < (since they coincide with the corresponding coefficients in the expansion 
of u). 

The map d commutes with the passage to the completed local ring, so the image of / 
in Ki is equal to ZlfcL-m '^ifc2/^^~V(2^ - !)• Now note that / - Zlfci-L has a 
pole of order at most 2j + 1 at each Tj, and its image in Ki has leading term Fj{ri)y~'^^~^. 
Consequently, if n is an integer such that naik/{2k — 1) is integral for i = 0,. . . ,2g and 
k = —1, . . . , — m, then nf is integral. Specifically, we have that nF-m{fi) is integral for 
i = 1, . . . ,2g + 1; since the rj are distinct modulo p, that implies that nF_rn{x) is integral. 
Applying the same argument to nf — nF_m{x), we deduce that nF„m+i(a^) is integral, and 
so forth. 

In particular, we may take n = pLiogp(2m-+i)J _ Then nf is integral, as is the reduction of 
nu, which yields the desired conclusion. □ 

One can make the following analogous assertion for the reduction process in the other
direction, using the local ring at infinity instead of at the $T_j$. We omit the proof.

Lemma 3. Let A{x) be a polynomial over W{¥q) of degree at most 2g. Then for m > 0, 
the reduction of cu = A{x)y'^"^^^ dx becomes integral upon multiplication pl-'°Sp(2™-+i)J , 

In particular, the basis we have chosen of the de Rham cohomology of $A$ is also a basis
of $H^1(\bar{A}; K)$.

Let $F = \sigma^{\log_p q}$ denote the $q$-power Frobenius. By the Lefschetz fixed point formula
(Theorem 1) applied to $C'$ and its image under quotienting by the hyperelliptic involution,
we have

= TT{q'F-\ H\A; K)) - Ti{q'F-\ H\A; K)) 

= q' - Tr{q'F~\ H\A; K)+) - Tr{q'F-\ H\A; K)_) 

= Tr{q'F-\ H\A; K)+) - Ti{q'F~\ H\A; K)+) - Ti{q'F-\ H\A; K).) 

= #pi(F,0 -Tr(g^F-\ifi(A;ir)_) 

= (g* + 1 - 2g) - TT{q'F~\ H\A; K)^). 

Thus $q^i + 1 - \#C(\mathbb{F}_{q^i})$ equals the trace of $q^i F^{-i}$ on the negative eigenspace of $H^1(\bar{A}; K)$.

By the Weil conjectures (see [||, Appendix C] for details), there exists a polynomial
$x^{2g} + a_1 x^{2g-1} + \cdots + a_{2g}$ whose roots $\alpha_1, \dots, \alpha_{2g}$ satisfy $\alpha_j \alpha_{g+j} = q$ for $j = 1, \dots, g$,
$|\alpha_j| = \sqrt{q}$ for $j = 1, \dots, 2g$, and

$$q^i + 1 - \#C(\mathbb{F}_{q^i}) = \sum_{j=1}^{2g} \alpha_j^i$$

for all $i > 0$. Thus the eigenvalues of $qF^{-1}$ on $H^1(\bar{A}; K)_-$ are precisely the $\alpha_j$, as are the
eigenvalues of $F$ itself. Since $q^{g-i} a_i = a_{2g-i}$, it suffices to determine $a_1, \dots, a_g$. Moreover, $a_i$ is
the sum of $\binom{2g}{i}$ $i$-fold products of eigenvalues of Frobenius, so for $i = 1, \dots, g$,

$$|a_i| \le \binom{2g}{i} q^{i/2} \le 2^{2g} q^{g/2}.$$

Thus to determine the zeta function, it suffices to compute the action of $F$ on a suitable
basis of $H^1(\bar{A}; K)_-$ modulo $p^{N_1}$ for $N_1 > (g/2)n + (2g+1)\log_p 2$. Thanks to Lemma 2, we
can determine explicitly how much computation is needed to determine this action.
The action of the $p$-power Frobenius $\sigma$ on differentials is given by

$$\left(\frac{A(x)\,dx}{y^{2k+1}}\right)^\sigma = \frac{pA(x)^\sigma x^{p-1}\,dx}{y^{p(2k+1)}} \left(1 + \frac{pE(x)}{y^{2p}}\right)^{-(2k+1)/2},$$

where we set $pE(x) = Q(x)^\sigma - Q(x)^p$. We can rewrite this expression as a power series
$\sum_i A_i(x) y^{-2i-1}\,dx$, where each polynomial $A_i(x)$ has degree at most $2g$.
Notice that if $i > p(2k+1)/2 + pm$, then $A_i(x)$ is divisible by $p^m$, and by Lemma 2, the
reduction of $A_i(x) y^{-2i-1}\,dx$ will be divisible by $p^{m - \lfloor \log_p(2m+1) \rfloor}$. Therefore the reduction of
$(A(x) y^{-2k-1}\,dx)^\sigma$ is determined by the $A_i$ with $i < N_1 + \log_p(2N_1)$.

4 An algorithm for computing Frobenius

Using the results of the previous section, we now describe an algorithm for computing the
characteristic polynomial of Frobenius on a hyperelliptic curve $C$ of genus $g$ over $\mathbb{F}_q$ with
$q = p^n$. We maintain the notation of the previous section.

Step 1: Compute Frobenius on y 

Compute a sequence of polynomials Aq{x), Ai{x), Api^_i{x) over W(¥q)/{p'^'^), each of degree 
at most 2g, such that 

1 ^ + Qixr-Q{xr \ 

^yV^AAx) 



y2l 
i = ^ 



as a power series in y over W{¥q)/{p'^'^) modulo y using a Newton iteration. Specifi- 
cally, recall that for s G 1 + to compute s~^/^ we may set Xq = 1 and 



= - -sx^ (mod t 

then Xi = (mod t^'). The dominant operation in this iteration is the cubing, which 

can be done in asymptotically optimal time by, for instance, packing $x_i$ into an integer and
applying the Schönhage-Strassen algorithm for fast integer multiplication.
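
The Newton iteration for an inverse square root that Step 1 relies on, as an added example (not code from the paper). It uses the standard update x <- (3x - s x^3)/2 and simplifies the setting to scalar coefficients in Z/p^N with schoolbook multiplication; the function names and sample series are assumptions made for the illustration.

```python
def mul_trunc(a, b, prec, mod):
    """Product of two power series in t (low-to-high coefficient lists),
    truncated modulo t^prec, with coefficients reduced modulo `mod`."""
    out = [0] * prec
    for i, ai in enumerate(a[:prec]):
        if ai:
            for j, bj in enumerate(b[:prec - i]):
                out[i + j] = (out[i + j] + ai * bj) % mod
    return out


def inverse_sqrt_series(s, prec, p, N):
    """Return s^(-1/2) modulo (t^prec, p^N) for a series s with constant term 1.

    Each round applies x <- (3x - s*x^3)/2, which doubles the number of
    correct coefficients; 2 is invertible because p is odd.
    """
    mod = p ** N
    if p % 2 == 0 or s[0] % mod != 1:
        raise ValueError("need an odd prime p and a series with constant term 1")
    half = pow(2, -1, mod)
    x, k = [1], 1
    while k < prec:
        k = min(2 * k, prec)                       # precision after this round
        cube = mul_trunc(mul_trunc(x, x, k, mod), x, k, mod)   # the dominant cost
        sx3 = mul_trunc(s, cube, k, mod)
        x = x + [0] * (k - len(x))
        x = [(3 * xi - ci) * half % mod for xi, ci in zip(x, sx3)]
    return x


def residual(s, x, prec, mod):
    """s * x^2 modulo (t^prec, mod); equals 1 when x is the inverse square root."""
    return mul_trunc(s, mul_trunc(x, x, prec, mod), prec, mod)


if __name__ == "__main__":
    # Constructed sample shaped like Step 1: s = 1 + p*e*t with p = 3, e = 2.
    # Working modulo 3^4, every coefficient from t^4 onward vanishes, which is
    # why only finitely many terms of the Frobenius series are needed.
    print(inverse_sqrt_series([1, 6], 10, 3, 4))
```
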

Step 2: Compute Frobenius on differentials 

For i = 0, . . . ,2g — 1, compute the reduction of (x* dx/yY as follows. Using the computation 
of l/y" carried out in the first step, write 

f x'^ dx^^ (ix G{x)dx Fi{x) dx . _2pN~3\ 

where degFj < 2g ~ 1; for notational convenience, set Fo{x) = 0. Then compute Sk{x) 
for k = 2pN,2pN — as follows. Let S2pn{x) = F2pn{x). Given Sk+i{x), find 

polynomials A^+ii^x) and Bk+i{x) such that A^^iQ + B^^iQ' = Sk+i- Then set Sk{x) = 
Fk + Ai:^i + 2Bk+i/{2k — l). By the reduction argument from the previous section, (x* dx/yY 
is cohomologous to (S'o(x) + G{x)) dx/y. 

Note that the above computation cannot be performed in $W(\mathbb{F}_q)/(p^N)$ as written,
because of the division by $2k-1$. To remedy this, interpret $2B_{k+1}/(2k-1)$ to mean any
polynomial over $W(\mathbb{F}_q)/(p^N)$ which, when multiplied by $2k-1$, equals $2B_{k+1}$. Lemma 2
implies both that any discrepancy introduced in $S_k$ in case $2k-1$ is divisible by $p$ has no
effect on $S_1$ modulo $p^{N_1}$, and that $B_{k+1}/(2k-1)$ always has integral coefficients.

By construction, $S_0$ has degree at most $2g$, but $G$ can have degree up to $2pg - 1$, so we
must reduce $G(x)\,dx/y$ in cohomology as well. For $j = \deg G - 2g + 1$, set $G_j(x) = G(x)$;
for $k = j, j-1, \dots, 1$, let $G_{k-1}$ be the remainder of $G_k(x)$ modulo
$x^{k-1}Q'(x) + 2(k-1)x^{k-2}Q(x)$. (When the latter has leading coefficient divisible by $p$, we may again fill the high
p-adic digits arbitrarily without affecting the final result of the computation, by Lemma 3.)
Then $G(x)\,dx/y$ is cohomologous to $G_0(x)\,dx/y$, and so $(x^i\,dx/y)^\sigma$ is cohomologous to
$(S_1 + G_0)\,dx/y$.
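
The degree reduction of G(x) dx/y described in this step and in Section 3, as an added example rather than the paper's own code. It works over the rationals (Python's Fraction) instead of a p-adic ring so that the denominators are visible; the curve y^2 = x^5 + x + 1 and all function names are constructed for the illustration.

```python
from fractions import Fraction


def deriv(f):
    """Derivative of a polynomial given as a low-to-high coefficient list."""
    return [i * c for i, c in enumerate(f)][1:]


def modulus(Q, k):
    """x^(k-1) Q'(x) + 2(k-1) x^(k-2) Q(x).

    With S = x^(k-1) this is S Q' + 2 S' Q, and (S Q' + 2 S' Q) dx/y = 2 d(S y)
    is exact, so the polynomial is zero in cohomology.
    """
    M = [Fraction(0)] * (k + len(Q) - 2)          # degree k - 1 + 2g
    for i, c in enumerate(deriv(Q)):
        M[i + k - 1] += c
    if k >= 2:
        for i, c in enumerate(Q):
            M[i + k - 2] += 2 * (k - 1) * c
    return M


def reduce_form(G, Q):
    """Return (G0, pivots) with G dx/y cohomologous to G0 dx/y, deg G0 <= 2g - 1.

    pivots lists the leading coefficients actually divided by; these are the
    only denominators the reduction introduces.
    """
    two_g = len(Q) - 2
    G = [Fraction(c) for c in G]
    pivots = []
    for k in range(len(G) - two_g, 0, -1):         # k = j, j-1, ..., 1
        M = modulus(Q, k)
        top = k - 1 + two_g                        # degree eliminated at this step
        if G[top] != 0:
            pivots.append(int(M[top]))
            factor = G[top] / M[top]
            for i, c in enumerate(M):
                G[i] -= factor * c
    return (G + [Fraction(0)] * two_g)[:two_g], pivots


def digits_lost(pivots, p):
    """Largest power of p dividing any pivot: the p-adic digits the division costs."""
    worst = 0
    for n in pivots:
        v = 0
        while n % p == 0:
            n //= p
            v += 1
        worst = max(worst, v)
    return worst


if __name__ == "__main__":
    Q = [1, 1, 0, 0, 0, 1]                         # constructed sample: Q = x^5 + x + 1, g = 2
    G0, pivots = reduce_form([0] * 6 + [1], Q)     # reduce x^6 dx/y
    print(G0, pivots, digits_lost(pivots, 3))
```

For a monic Q the pivot at step k is 2k + 2g - 1, which matches the leading term 2m - 2g + 1 from Section 3 with m = k - 1 + 2g.
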

Step 3: Compute characteristic polynomial 

From the previous step, we may extract the matrix $M$ through which the $p$-power Frobenius
acts on a basis of cohomology over $W(\mathbb{F}_q)/(p^N)$. Compute $M' = M M^\sigma M^{\sigma^2} \cdots M^{\sigma^{n-1}}$,
determine the characteristic polynomial of M', and recover the characteristic polynomial of 
Frobenius from the first g coefficients modulo p^ . 

In case one wants only the Newton polygon of Frobenius and not its full characteristic 
polynomial, some savings may be possible in this step. On one hand, although the Newton 
polygon can be computed directly from the p-Frobenius, it is not given by the characteristic 
polynomial of the matrix M in general. On the other hand, this does work in case M = DA 
with D diagonal and A congruent to the identity matrix modulo p, and in some cases it may 
be easy to select a basis for which this holds. 



5 Resource analysis 

We now analyze the space and time requirements of the algorithm for a curve of genus g over 
$\mathbb{F}_{p^n}$ (keeping p fixed). Before proceeding through the individual steps, we make some general
observations about the implementation of low-level operations that permeate the discussion. 

All ring operations in the algorithm take place in the degree n unramified extension of 
Zp/lp^), and each element of this ring requires 0{gn'^) storage space. Using fast integer 
multiplication as noted above, individual multiplications and divisions in the ring can be 
accomplished in time 0{g^~^'^n'^^'^). 

Applying any power r = o"'^ of the ring automorphism a can be accomplished in time 
0{g^^''n^^'') as follows. Suppose the base ring is represented as Zp/ {p^)[a] where P{a) = 0. 
Compute an element of the residue field congruent to mod p by repeated squarings. 
Then use Newton's iteration to compute a'^ from this. Now to compute G{ay, for G a 
polynomial over Zp/(p^), evaluate G at a'^ using Horner's method, or (better in practice) 
the Paterson-Stockmeyer algorithm |jTO|, using 0{n) multiplications in "Lpip^). 

In Step 1, we compute 0{gn) terms of l/y'^; each term consists of a polynomial in x of 
degree at most 2g — 1, which requires O^g'^m?') space to store. Thus the entire expression 
requires space 0{g^n^) and time 0{g^^'^n^~^'^) to compute. 

In Step 2, the dominant step in each reduction is writing a polynomial $T$ of degree at
most $2g - 1$ as $AQ + BQ'$. This can be done by precomputing polynomials $R$ and $S$ of
degrees $2g - 1$ and $2g$, respectively, such that $RQ + SQ' = 1$, then computing $A$ as the
reduction of TQ modulo Q' and B as the reduction of SQ' modulo Q. Since the polynomials 
in question require space 0{g'^~^'^n'^~^'^) each, this extended GCD operation can be performed 
in time 0{g^'^'^n'^^'^)] see The reduction step is performed 0{gn) times for each of 2g 
forms, for a total of 0{g^^'^n^^'^) time. 

In Step 3, we begin with a $2g \times 2g$ matrix $M$ each of whose entries has size 0{gn^), and
must compute $M' = M M^\sigma \cdots M^{\sigma^{n-1}}$ by repeated squaring. Specifically, we can compute
$M_1 = M M^\sigma$, $M_2 = M_1 M_1^{\sigma^2}$, $M_3 = M_2 M_2^{\sigma^4}$ and so on, then combine these as in the usual
repeated squaring method for exponentiation to compute $M'$. This process requires $O(\log n)$
multiplications of $2g \times 2g$ matrices and 0{g^ logra) applications of powers of $\sigma$ (specifically, of
powers of the form $\sigma^m$ for $m$ a power of 2). The former requires 0{g^\ogn) ring operations,
at a cost of 0{g^^^n'^^'^) time; the latter requires 0{g^^'^TV'^^) time.

We then must compute the characteristic polynomial of M'. This can be accomplished 
in 0{g^) ring operations, e.g., by computing v, Mv, M'^v, . . . until these fail to be linearly 
independent, then inverting a matrix to obtain a factor of the characteristic polynomial, and 
repeating as needed. This translates into a time cost of 0{g'^~^'^n'^~^'^). 

Overall, the dominant factors are $g^{4+\epsilon}$ and $n^{3+\epsilon}$. Note, however, that one factor of $g$
can be saved in a parallel computation in Step 2, by computing the Frobenius on each basis
vector simultaneously. On the other hand, the factor $g^{4+\epsilon}$ remains as a bottleneck in Step 3
and does not appear to be readily mollifiable by parallelism. Likewise, a parallel approach
does not appear to mollify the factor of $n^{3+\epsilon}$ appearing throughout the analysis.